Media-Tool Trouble

Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in libgd, mtink, zip, ruby, Samba,
freeamp, Kaffeine and gxine, Portage, zgv, shadow, and BNC.

libgd

The libgd library is an ANSI C library that provides for the dynamic creation
of images in PNG, JPEG, GIF, and other formats. A bug in code that handles PNG-formatted images has been reported. Under some conditions, it may be exploitable
by an attacker using a carefully crafted PNG file and result in arbitrary
code being executed on the victim's machine. libgd is used in PHP, and one possible
vector of attack is in photo web sites that allow users to upload images and
then process those images with a PHP script.

All users of libgd or linked applications (such as PHP) should evaluate their
risk of exposure due to this bug, and take appropriate steps. Users should watch
their vendors for repaired packages for affected applications. Repaired versions
are available for Ubuntu and Debian GNU/Linux.

mtink

mtink, a status monitor and ink-cartridge changer for Epson
printers, is reported to be vulnerable to a temporary-file, symbolic link race
condition that may, under some conditions, be exploited by a local attacker
to overwrite arbitrary files on the system with the permissions of the user
running mtink (root, in most cases).

Users of mtink should watch their vendors for an updated package.

zip

The archive utility zip is reported to be vulnerable to a buffer overflow
when an archive file with a very long name is unpacked. A remote attacker could
create a carefully crafted zip archive file that, when opened by the victim,
would execute arbitrary code with the victim's permissions.

Anyone using zip should exercise care when opening .zip files until they have
upgraded their version of zip to a repaired version. A repaired version is available
for Gentoo Linux.

ruby

The programming language ruby has a vulnerability in the FileStore functionality
of its CGI::Session class that causes session information to be stored
insecurely. In addition, the CGI module has a bug that a local attacker can
use to trigger an infinite loop, resulting in a denial of service.

All affected users should upgrade as soon as a package becomes available. Updated packages have been released for Mandrake, Gentoo, and
Debian GNU/Linux.

Samba

A problem in the code that handles wildcards in filename strings may be exploitable
by a remote attacker in a denial-of-service attack that can cause a high load
on the victim's machine or, in some cases, make it not respond at all.

The Samba development team has released a patch to Samba 3.0.7. Users should
upgrade to Samba 3.0.7 with this patch applied as soon as possible.

freeamp

freeamp is an open source MP3 player that has been replaced by the ZINF (ZINF
Is Not FreeAmp!) audio player. ZINF is based on the source code of freeamp,
but does not use a trademarked word as part of its name. The playlist module
of freeamp is vulnerable to a buffer overflow that could, under some circumstances,
result in arbitrary code being executed with the permissions of the user running
freeamp.

All affected users of freeamp/ZINF should upgrade to a repaired version as
soon as it is available.

Kaffeine and gxine

Kaffeine and gxine are media players that use the xine video library for video
playback and video processing. Kaffeine is a media player for KDE3. Both applications
share code that provides processing for Content-Type headers. This Content-Type
header code contains a buffer overflow that could, under some conditions, be
exploited by a remote attacker who controls an HTTP server to which the user has connected. The attacker may be able to create a RealAudio .ram playlist
that, when read by Kaffeine or gxine, will result in a buffer overflow and the
execution of arbitrary code on the victim's machine.

Users of Kaffeine or gxine should exercise great care until repaired versions
have been installed.

Portage

Portage, Gentoo Linux's package management tool, is vulnerable to a temporary-file, symbolic link race condition that can be exploited by a local attacker
to overwrite arbitrary files with the permission of the user running the dispatch-conf
or qpkg scripts.

All users of Gentoo Linux should upgrade their Portage and gentoolkit packages
as soon as possible.

zgv

zgv is a console-based image viewer. Some versions of zgv are reported to
be vulnerable to multiple buffer overflows. The attack is conducted by the
attacker creating a carefully crafted image file, and the victim then viewing
it with zgv. The resulting buffer overflow can result in arbitrary code being
executed as root or as the user running zgv.

It is recommended that users watch their vendors for an updated version, or upgrade
to zgv version 5.8 and apply the patch available from zgv's home page.

shadow

A bug in the shadow suite of tools can be abused by a local user who is logged
in but has an expired password. The chfn and chsh tools can be used to
change account information without the user being forced to change his or her password.

Users should upgrade to a repaired shadow utility package when it becomes available.

BNC

BNC is an Internet Relay Chat (IRC) proxy server. BNC has a buffer overflow
in the function getnickuserhost() that may be exploited by a remote attacker
in a denial-of-service attack. It is not known whether this buffer overflow can
be exploited to execute code or to gain additional permissions on the victim's
machine.

It is recommended that users of BNC upgrade to version 2.9.0 as soon as possible.